|By Peter Weger||
|February 5, 2011 05:15 AM EST||
The WikiLeaks security fiasco has shed a lot of light on document security and its inherent irony: namely that the more confidential a document is, the more it's likely to be shared. Web Security Journal reached out to the CEO of Brainloop, Peter Weger, to discuss document compliance management as a risk mitigation strategy.
Web Security Journal: What security issues do you see becoming more pervasive in the coming months?
Peter Weger: A frequently unaddressed challenge is that companies’ most confidential documents are often those that travel the most outside the enterprise. Business depends on sharing information in collaborative processes like coordination among board members; working with research, supply and distribution partners; and communications with outside experts such as external counsel, consultants, auditors and regulatory authorities. However the more a document has to be accessed outside the corporate network, the greater the risk of leakage, so a company’s most sensitive documents are at much greater risk than other documents.
Web Security Journal: How do most businesses enable collaboration today?
Email continues to be the most common method used for information sharing and communication. Organizations tend to collaborate through this ubiquitous technology, sending emails to their employees, partners, suppliers and customers. These emails, of course, include content, attachments and links, some of which contain sensitive information.
To supplement email functionality, individual departments sometimes acquire Cloud-based collaboration applications, often without advice from corporate IT on the selection, vetting or implementation of these services. These systems provide rudimentary content storage, distribution and work flow that email lacks.
Web Security Journal: Where do the current methods fall short?
Weger: To state the obvious, email was not designed to be a real-time, multi-user, secure collaboration system. We know that email makes it extremely easy for security policies to be bypassed. A simple “reply all” can find an employee, either unintentionally or maliciously, sending sensitive information to one or more unintended recipients. Email and any attachments that arrive at the recipient’s mail client could be forwarded to other parties that may not have the right or need to view the information. In this latter instance, the organization that owned the data may never find out that this unexpected data sharing activity took place.
Most commercially-available Cloud-based collaboration offerings were purpose-built with a simple, primary objective of sharing information; security became an afterthought for most products. This becomes a serious risk when you consider that these products typically leave the control of the policy and access to the data in the hands of the collaboration solution provider. Some of the top-performing solutions have attempted to wrap security around the content in such a way that end users can apply document protections, requiring them to define the classification and sharing policies themselves. Of course, by putting the decision into the hands of end users with no experience in defining policy, and without the perspective of the company’s central policy standard, poor decisions could be made and sensitive data still exposed to unauthorized access and misuse. Organizations with hundreds of users have no way to ensure consistent application of security measures. In addition to putting their own documents at risk, using unsecure collaboration applications may result in companies violating their contractual obligations to protect their partners’ confidential information.
To address some of these risks, organizations continue to make significant investments in the various perimeter security technologies designed to prevent information from leaving the organization. Some of the technologies used include firewalls, network intrusion prevention systems (IPS), data loss/leak prevention (DLP) and more. The main problem with this ‘protect the perimeter’ approach is that these products focus on protecting at the infrastructure layer, not on the information itself, which must travel outside the network in order for the company to function. This effectively still leaves the user in control of the information’s destiny, which usually leads to the dangerous choice of expedience over security.
Web Security Journal: What is DCM and how does it fit in?
Weger: Document Compliance Management is a discipline that proactively manages information risk arising from sharing documents electronically.
As organizations move more of their information management processes outside the firewall to the extended enterprise, end users’ demands for collaboration come into conflict with corporate demands to protect information through consistent policy application and control over distribution. DCM seeks to reconcile these demands by creating security provisions that move with documents throughout their lifecycles, both inside and outside the network.
Web Security Journal: What are some of its applications?
Weger: Organizations that are struggling to collaborate while meeting their regulatory, compliance and governance requirements are grappling with the issues Document Compliance Management addresses. Ultimately, these organizations want to collaborate and transact securely within their communities of trust. Regulatory auditors will look for a complete audit trail that captures the entire lifecycle of the organization’s sensitive information; who had access to which documents at which point in time.
Consider the scenario in which inside counsel is required to work with outside counsel, each sharing sensitive legal documents with their counterparts on the other end. They need to maintain control over their documents after they have left the corporate network and they are required to keep a full audit trail of all document activity. They may deal with documents of varying levels of sensitivity, and need an easy way for end users to apply the appropriate controls to each document.
Another example is the Human Resources team collaborating with healthcare providers, financial services providers, state and federal tax entities, and more. Again, the documents need to be shared with trust and a full audit trail must be available to ensure that employees’ personal information has been protected as it passes to external parties. Some key components of this audit trail must document which information has been provided to which business partner, and whether or not they were able to print it, save it locally, or forward it to other people.
Web Security Journal: Why not just block all access by default?
Weger: Looking historically at security, most responses to attacks, breaches or compliance exceptions have been to shut down the operation or block the action. Years ago, when organizations experienced viruses running wild through their email systems, they simply shut down email until the problem was resolved. If they were worried about data leaving via USB sticks, they would blanket block the use of USB ports throughout the entire organization. We see this same model being applied to data protection within the collaboration space -- classify data as being sensitive and block it from being shared.
This model fails miserably. A block-by-default policy goes against the business models of today, which rely on employees, partners, suppliers, legal counsel, and other outside parties who must collaborate with each other using sensitive information.
Therefore, the main goal for DCM is to provide a secure means for end users to collaborate within corporate and regulatory policy for all approved parties, both inside and outside the organization. Corporate policy makers should risk rank business processes, define security policies and classifications, and roll them out to end users in a secure collaboration platform. This would ensure the proper use of documents, doing so in a way that is easy and transparent for the end user, without putting the end user in the unenviable position of having to make policy decisions. It must be simple enough that users will be comfortable doing their jobs within the systems they are already familiar with, as opposed to working around a protected system that is blocking them from collaborating.
Web Security Journal: What should an organization consider when implementing DCM?
Weger: Organizations should try to include these features in their own DCM programs:
- Centralized data classification, policy definition, and policy enforcement capabilities
- Enables end users to do their job without having to think about security, doing so without making them work outside of their existing business processes
- Is flexible enough to support a variety of business processes to prevent the proliferation of disparate point solutions, and can be easily integrated with the company’s existing ecosystem.
Organizations tend to focus on the tactical problems they face with data protection and often look to solve them with technology delivered by their traditional perimeter security vendor. If an organization really wants to be successful in enabling secure business collaboration, they must approach the problem at the document/information level; develop a plan to define and enable their end users, partners, and others to securely collaborate within the boundaries of their internal and/or regulatory constraints.
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
Jan. 30, 2015 12:30 AM EST Reads: 3,012
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Jan. 29, 2015 06:15 PM EST Reads: 4,094
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
Jan. 29, 2015 06:00 PM EST Reads: 3,279
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
Jan. 29, 2015 06:00 PM EST Reads: 3,031
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
Jan. 29, 2015 05:00 PM EST Reads: 4,081
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
Jan. 29, 2015 03:30 PM EST Reads: 3,062
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 29, 2015 02:30 PM EST Reads: 2,621
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
Jan. 29, 2015 02:15 PM EST Reads: 3,190
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by mining large volumes of unstructured data, and how data tracking delivers uptime when it matters most.
Jan. 29, 2015 02:00 PM EST Reads: 3,800
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water, are pursuing SmartGrid initiatives that represent one of the more mature examples of SAE. We have s...
Jan. 29, 2015 01:30 PM EST Reads: 3,118
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use cases.
Jan. 29, 2015 01:30 PM EST Reads: 2,040
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
Jan. 29, 2015 01:30 PM EST Reads: 2,963
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential.
Jan. 29, 2015 01:15 PM EST Reads: 2,550
“With easy-to-use SDKs for Atmel’s platforms, IoT developers can now reap the benefits of realtime communication, and bypass the security pitfalls and configuration complexities that put IoT deployments at risk,” said Todd Greene, founder & CEO of PubNub. PubNub will team with Atmel at CES 2015 to launch full SDK support for Atmel’s MCU, MPU, and Wireless SoC platforms. Atmel developers now have access to PubNub’s secure Publish/Subscribe messaging with guaranteed ¼ second latencies across PubNub’s 14 global points-of-presence. PubNub delivers secure communication through firewalls, proxy ser...
Jan. 29, 2015 12:45 PM EST Reads: 1,665
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
Jan. 29, 2015 12:30 PM EST Reads: 1,889
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
Jan. 29, 2015 12:15 PM EST Reads: 1,820
Jan. 29, 2015 12:00 PM EST Reads: 7,975
The Internet of Things promises to transform businesses (and lives), but navigating the business and technical path to success can be difficult to understand. In his session at @ThingsExpo, Sean Lorenz, Technical Product Manager for Xively at LogMeIn, demonstrated how to approach creating broadly successful connected customer solutions using real world business transformation studies including New England BioLabs and more.
Jan. 29, 2015 12:00 PM EST Reads: 2,622
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
Jan. 29, 2015 12:00 PM EST Reads: 2,563
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 29, 2015 11:45 AM EST Reads: 3,570